aws
diff --git a/‎src/main/java/software/amazon/encryption/s3/S3AsyncEncryptionClient.java
+182-1 b/‎src/main/java/software/amazon/encryption/s3/S3AsyncEncryptionClient.java
+182-1
@@ -18,6 +18,7 @@
 import software.amazon.awssdk.services.s3.model.ObjectIdentifier;
 import software.amazon.awssdk.services.s3.model.PutObjectRequest;
 import software.amazon.awssdk.services.s3.model.PutObjectResponse;
+import software.amazon.awssdk.services.s3.model.S3Request;
 import software.amazon.encryption.s3.internal.GetEncryptedObjectPipeline;
 import software.amazon.encryption.s3.internal.NoRetriesAsyncRequestBody;
 import software.amazon.encryption.s3.internal.PutEncryptedObjectPipeline;
@@ -41,6 +42,10 @@
 
 import static software.amazon.encryption.s3.internal.ApiNameVersion.API_NAME_INTERCEPTOR;
 
+/**
+ * This client is a drop-in replacement for the S3 Async client. It will automatically encrypt objects
+ * on putObject and decrypt objects on getObject using the provided encryption key(s).
+ */
 public class S3AsyncEncryptionClient extends DelegatingS3AsyncClient {
 
     private final S3AsyncClient _wrappedClient;
@@ -60,16 +65,51 @@ private S3AsyncEncryptionClient(Builder builder) {
         _enableMultipartPutObject = builder._enableMultipartPutObject;
     }
 
+    /**
+     * Creates a builder that can be used to configure and create a {@link S3AsyncEncryptionClient}.
+     */
     public static Builder builder() {
         return new Builder();
     }
 
-    // Helper function to attach encryption contexts to a request
+
+    /**
+     * Attaches encryption context to a request. Must be used as a parameter to
+     * {@link S3Request#overrideConfiguration()} in the request.
+     * Encryption context can be used to enforce authentication of ciphertext.
+     * The same encryption context used to encrypt MUST be provided on decrypt.
+     * Encryption context is only supported with KMS keys.
+     * @param encryptionContext the encryption context to use for the request.
+     * @return Consumer for use in overrideConfiguration()
+     */
     public static Consumer<AwsRequestOverrideConfiguration.Builder> withAdditionalEncryptionContext(Map<String, String> encryptionContext) {
         return builder ->
                 builder.putExecutionAttribute(S3EncryptionClient.ENCRYPTION_CONTEXT, encryptionContext);
     }
 
+    /**
+     * See {@link S3AsyncClient#putObject(PutObjectRequest, AsyncRequestBody)}.
+     * <p>
+     * In the S3AsyncEncryptionClient, putObject encrypts the data in the requestBody as it is
+     * written to S3.
+     * </p>
+     * @param putObjectRequest the request instance
+     * @param requestBody
+     *        Functional interface that can be implemented to produce the request content in a non-blocking manner. The
+     *        size of the content is expected to be known up front. See {@link AsyncRequestBody} for specific details on
+     *        implementing this interface as well as links to precanned implementations for common scenarios like
+     *        uploading from a file.
+     * @return A Java Future containing the result of the PutObject operation returned by the service.<br/>
+     *         The CompletableFuture returned by this method can be completed exceptionally with the following
+     *         exceptions.
+     *         <ul>
+     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
+     *         Can be used for catch all scenarios.</li>
+     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
+     *         credentials, etc.</li>
+     *         <li>S3EncryptionClientException Base class for all encryption client specific exceptions.</li>
+     *         </ul>
+     */
     @Override
     public CompletableFuture<PutObjectResponse> putObject(PutObjectRequest putObjectRequest, AsyncRequestBody requestBody)
             throws AwsServiceException, SdkClientException {
@@ -106,6 +146,29 @@ private CompletableFuture<PutObjectResponse> multipartPutObject(PutObjectRequest
         return pipeline.putObject(putObjectRequest, noRetryBody);
     }
 
+    /**
+     * See {@link S3AsyncClient#getObject(GetObjectRequest, AsyncResponseTransformer)}
+     * <p>
+     * In the S3AsyncEncryptionClient, getObject decrypts the data as it is read from S3.
+     * </p>
+     * @param getObjectRequest the request instance.
+     * @param asyncResponseTransformer
+     *        The response transformer for processing the streaming response in a non-blocking manner. See
+     *        {@link AsyncResponseTransformer} for details on how this callback should be implemented and for links to
+     *        precanned implementations for common scenarios like downloading to a file.
+     * @return A future to the transformed result of the AsyncResponseTransformer.<br/>
+     *         The CompletableFuture returned by this method can be completed exceptionally with the following
+     *         exceptions.
+     *         <ul>
+     *         <li>NoSuchKeyException The specified key does not exist.</li>
+     *         <li>InvalidObjectStateException Object is archived and inaccessible until restored.</li>
+     *         <li>SdkException Base class for all exceptions that can be thrown by the SDK (both service and client).
+     *         Can be used for catch all scenarios.</li>
+     *         <li>SdkClientException If any client side error occurs such as an IO related failure, failure to get
+     *         credentials, etc.</li>
+     *         <li>S3EncryptionClientException Base class for all encryption client exceptions.</li>
+     *         </ul>
+     */
     @Override
     public <T> CompletableFuture<T> getObject(GetObjectRequest getObjectRequest,
                                                            AsyncResponseTransformer<GetObjectResponse, T> asyncResponseTransformer) {
@@ -119,6 +182,15 @@ public <T> CompletableFuture<T> getObject(GetObjectRequest getObjectRequest,
         return pipeline.getObject(getObjectRequest, asyncResponseTransformer);
     }
 
+    /**
+     * See {@link S3AsyncClient#deleteObject(DeleteObjectRequest)}.
+     * <p>
+     * In the S3 Encryption Client, deleteObject also deletes the instruction file,
+     * if present.
+     * </p>
+     * @param deleteObjectRequest the request instance
+     * @return A Java Future containing the result of the DeleteObject operation returned by the service.
+     */
     @Override
     public CompletableFuture<DeleteObjectResponse> deleteObject(DeleteObjectRequest deleteObjectRequest) {
         final DeleteObjectRequest actualRequest = deleteObjectRequest.toBuilder()
@@ -136,6 +208,15 @@ public CompletableFuture<DeleteObjectResponse> deleteObject(DeleteObjectRequest
         return instructionResponse.thenApplyAsync(deletion);
     }
 
+    /**
+     * See {@link S3AsyncClient#deleteObjects(DeleteObjectsRequest)}.
+     * <p>
+     * In the S3 Encryption Client, deleteObjects also deletes the instruction file(s),
+     * if present.
+     * </p>
+     * @param deleteObjectsRequest the request instance
+     * @return A Java Future containing the result of the DeleteObjects operation returned by the service.
+     */
     @Override
     public CompletableFuture<DeleteObjectsResponse> deleteObjects(DeleteObjectsRequest deleteObjectsRequest) throws AwsServiceException,
             SdkClientException {
@@ -149,6 +230,9 @@ public CompletableFuture<DeleteObjectsResponse> deleteObjects(DeleteObjectsReque
                 .build());
     }
 
+    /**
+     * Closes the wrapped {@link S3AsyncClient} instance.
+     */
     @Override
     public void close() {
         _wrappedClient.close();
@@ -174,6 +258,14 @@ private Builder() {
         }
 
         /**
+         * Specifies the wrapped client to use for the actual S3 request.
+         * This client will be used for all async operations.
+         * You can pass any S3AsyncClient implementation (e.g. the CRT
+         * client), but you cannot pass an S3AsyncEncryptionClient.
+         * @param wrappedClient the client to use for S3 operations.
+         * @return Returns a reference to this object so that method calls can be chained together.
+         */
+        /*
          * Note that this does NOT create a defensive clone of S3Client. Any modifications made to the wrapped
          * S3Client will be reflected in this Builder.
          */
@@ -187,41 +279,77 @@ public Builder wrappedClient(S3AsyncClient wrappedClient) {
             return this;
         }
 
+        /**
+         * Specifies the {@link CryptographicMaterialsManager} to use for managing key wrapping keys.
+         * @param cryptoMaterialsManager the CMM to use
+         * @return Returns a reference to this object so that method calls can be chained together.
+         */
         public Builder cryptoMaterialsManager(CryptographicMaterialsManager cryptoMaterialsManager) {
             this._cryptoMaterialsManager = cryptoMaterialsManager;
             checkKeyOptions();
 
             return this;
         }
 
+        /**
+         * Specifies the {@link Keyring} to use for key wrapping and unwrapping.
+         * @param keyring the Keyring instance to use
+         * @return Returns a reference to this object so that method calls can be chained together.
+         */
         public Builder keyring(Keyring keyring) {
             this._keyring = keyring;
             checkKeyOptions();
 
             return this;
         }
 
+        /**
+         * Specifies a "raw" AES key to use for key wrapping/unwrapping.
+         * @param aesKey the AES key as a {@link SecretKey} instance
+         * @return Returns a reference to this object so that method calls can be chained together.
+         */
         public Builder aesKey(SecretKey aesKey) {
             this._aesKey = aesKey;
             checkKeyOptions();
 
             return this;
         }
 
+        /**
+         * Specifies a "raw" RSA key pair to use for key wrapping/unwrapping.
+         * @param rsaKeyPair the RSA key pair as a {@link KeyPair} instance
+         * @return Returns a reference to this object so that method calls can be chained together.
+         */
         public Builder rsaKeyPair(KeyPair rsaKeyPair) {
             this._rsaKeyPair = new PartialRsaKeyPair(rsaKeyPair);
             checkKeyOptions();
 
             return this;
         }
 
+        /**
+         * Specifies a "raw" RSA key pair to use for key wrapping/unwrapping.
+         * This option takes a {@link PartialRsaKeyPair} instance, which allows
+         * either a public key (decryption only) or private key (encryption only)
+         * rather than requiring both parts.
+         * @param partialRsaKeyPair the RSA key pair as a {@link PartialRsaKeyPair} instance
+         * @return Returns a reference to this object so that method calls can be chained together.
+         */
         public Builder rsaKeyPair(PartialRsaKeyPair partialRsaKeyPair) {
             this._rsaKeyPair = partialRsaKeyPair;
             checkKeyOptions();
 
             return this;
         }
 
+        /**
+         * Specifies a KMS key to use for key wrapping/unwrapping. Any valid KMS key
+         * identifier (including the full ARN or an alias ARN) is permitted. When
+         * decrypting objects, the key referred to by this KMS key identifier is
+         * always used.
+         * @param kmsKeyId the KMS key identifier as a {@link String} instance
+         * @return Returns a reference to this object so that method calls can be chained together.
+         */
         public Builder kmsKeyId(String kmsKeyId) {
             this._kmsKeyId = kmsKeyId;
             checkKeyOptions();
@@ -253,31 +381,79 @@ private boolean onlyOneNonNull(Object... values) {
             return haveOneNonNull;
         }
 
+        /**
+         * When set to true, decryption of objects using legacy key wrapping
+         * modes is enabled.
+         * @param shouldEnableLegacyWrappingAlgorithms true to enable legacy wrapping algorithms
+         * @return Returns a reference to this object so that method calls can be chained together.
+         */
         public Builder enableLegacyWrappingAlgorithms(boolean shouldEnableLegacyWrappingAlgorithms) {
             this._enableLegacyWrappingAlgorithms = shouldEnableLegacyWrappingAlgorithms;
             return this;
         }
 
+        /**
+         * When set to true, decryption of content using legacy encryption algorithms
+         * is enabled. This includes use of GetObject requests with a range, as this
+         * mode is not authenticated.
+         * @param shouldEnableLegacyUnauthenticatedModes true to enable legacy content algorithms
+         * @return Returns a reference to this object so that method calls can be chained together.
+         */
         public Builder enableLegacyUnauthenticatedModes(boolean shouldEnableLegacyUnauthenticatedModes) {
             this._enableLegacyUnauthenticatedModes = shouldEnableLegacyUnauthenticatedModes;
             return this;
         }
 
+        /**
+         * When set to true, authentication of streamed objects is delayed until the
+         * entire object is read from the stream. When this mode is enabled, the consuming
+         * application must support a way to invalidate any data read from the stream as
+         * the tag will not be validated until the stream is read to completion, as the
+         * integrity of the data cannot be ensured. See the AWS Documentation for more
+         * information.
+         * @param shouldEnableDelayedAuthenticationMode true to enable delayed authentication
+         * @return Returns a reference to this object so that method calls can be chained together.
+         */
         public Builder enableDelayedAuthenticationMode(boolean shouldEnableDelayedAuthenticationMode) {
             this._enableDelayedAuthenticationMode = shouldEnableDelayedAuthenticationMode;
             return this;
         }
 
+        /**
+         * When set to true, the putObject method will use multipart upload to perform
+         * the upload. Disabled by default.
+         * @param _enableMultipartPutObject true enables the multipart upload implementation of putObject
+         * @return Returns a reference to this object so that method calls can be chained together.
+         */
         public Builder enableMultipartPutObject(boolean _enableMultipartPutObject) {
             this._enableMultipartPutObject = _enableMultipartPutObject;
             return this;
         }
 
+        /**
+         * Allows the user to pass an instance of {@link Provider} to be used
+         * for cryptographic operations. By default, the S3 Encryption Client
+         * will use the first compatible {@link Provider} in the chain. When this option
+         * is used, the given provider will be used for all cryptographic operations.
+         * If the provider is missing a required algorithm suite, e.g. AES-GCM, then
+         * operations may fail.
+         * Advanced option. Users who configure a {@link Provider} are responsible
+         * for the security and correctness of the provider.
+         * @param cryptoProvider the {@link Provider to always use}
+         * @return Returns a reference to this object so that method calls can be chained together.
+         */
         public Builder cryptoProvider(Provider cryptoProvider) {
             this._cryptoProvider = cryptoProvider;
             return this;
         }
 
+        /**
+         * Allows the user to pass an instance of {@link SecureRandom} to be used
+         * for generating keys and IVs. Advanced option. Users who provide a {@link SecureRandom}
+         * are responsible for the security and correctness of the {@link SecureRandom} implementation.
+         * @param secureRandom the {@link SecureRandom} instance to use
+         * @return Returns a reference to this object so that method calls can be chained together.
+         */
         public Builder secureRandom(SecureRandom secureRandom) {
             if (secureRandom == null) {
                 throw new S3EncryptionClientException("SecureRandom provided to S3EncryptionClient cannot be null");
@@ -286,6 +462,11 @@ public Builder secureRandom(SecureRandom secureRandom) {
             return this;
         }
 
+        /**
+         * Validates and builds the S3AsyncEncryptionClient according
+         * to the configuration options passed to the Builder object.
+         * @return an instance of the S3AsyncEncryptionClient
+         */
         public S3AsyncEncryptionClient build() {
             if (!onlyOneNonNull(_cryptoMaterialsManager, _keyring, _aesKey, _rsaKeyPair, _kmsKeyId)) {
                 throw new S3EncryptionClientException("Exactly one must be set of: crypto materials manager, keyring, AES key, RSA key pair, KMS key id");